HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


minimumnz 3rd May 2009 14:23

dkim with postfix for CentOS 5.2 - sometimes works, sometimes hardfail
 
I have set up dkim with postfix using this tutorial http://www.howtoforge.com/set-up-dki...ter-centos-5.2 and it seems to be signing emails successfully.

The problem is that in *some* situations I get dkim=hardfail, at Gmail for example.

If I simply do:

# echo hi | mail some@example.com

I get dkim=pass

Here is the header:

Quote:

Received-SPF: pass (google.com: domain of root@sl5.example.com designates 208.43.xxx.xxx as permitted sender) client-ip=208.43.xxx.xxx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of root@sl5.example.com designates 208.43.xxx.xxx as permitted sender) smtp.mail=root@sl5.example.com; dkim=pass header.i=@sl5.example.com
Received: by sl5.example.com (Postfix, from userid 0)
id 797221A2023B; Sun, 3 May 2009 05:46:34 -0500 (CDT)
X-DKIM: Sendmail DKIM Filter v2.8.2 sl5.example.com 797221A2023B
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=sl5.example.com;
s=default; t=1241347594; bh=u0cQJoM+IKvBViJ+kdF/0Kkf+vQ=;
h=To:Subject:Message-Id: Date:From;
b=B2giQk4tB1jL5vY/I12xZIgkIUy0hA1G18fTNyIMDiJpMooHZhpLMtT67sB2m8zkK
H98axLzikMNQkQ+GBYHlRWnZ2nOrsdkr2sEK9ir9PlZAfdwTd1 Vw5wiA9guy4SXbHE
cg558QYx5nNbPsFUGhPUStySsk4SrdsIihPf1MG0=



However, if I send the same email from Apache via PHP, for example, I get dkim=hardfail.

Quote:

Received-SPF: pass (google.com: domain of apache@sl5.example.com designates 208.43.xxx.xxx as permitted sender) client-ip=208.43.xxx.xxx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of apache@sl5.example.com designates 208.43.xxx.xxx as permitted sender) smtp.mail=apache@sl5.example.com; dkim=hardfail header.i=@sl5.example.com
Received: by sl5.example.com (Postfix, from userid 48)
id 169981A2023D; Sun, 3 May 2009 05:56:57 -0500 (CDT)
X-DKIM: Sendmail DKIM Filter v2.8.2 sl5.example.com 169981A2023D
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=sl5.example.com;
s=default; t=1241348217; bh=Rv3vD0x4MFbfSvwJVTN3GNvbeyw=;
h=To:Subject:From:Message-Id: Date;
b=IhTU8JOFl0lCgw7mNvCdh+Ppf0gQT/XkeNbaxUuubNMK/FHEewKxmXF7pmGcY0CRJ
jbWg5hChzYo2VYXX+QyYurITTVCKla4+p2PCkeMiZADO8bYpQo Wu7TvBXlZMIdYE6A
5USJEDdjXqyJnjrlFr0Yu9Lc1tbqLqKB3SoyLUb0=

The headers seem almost exactly the same, and the email is still getting signed, but it's just failing. I think it must be signing it incorrectly, but I don't know how it figures out what to sign.


Any clues would be much appreciated.

minimumnz 3rd May 2009 16:02

I modified /etc/sysconfig/dkim-milt, changing CANON=simple to CANON=relaxed/relaxed, and this seems to do the trick.

Problem solved!

topdog 3rd May 2009 18:40

That indicates that something is modifying the email after signing has already taken place. If you sign mails with simple canonicalization, any modifications lead to failure in verification; relaxed canonicalization is more tolerant of modifications after signing.

If you've got the time, take a look at the DKIM RFC, available at http://www.ietf.org/rfc/rfc4871.txt
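
The difference between the two canonicalization modes discussed in this thread, as an added example that is not part of any post above and is not dkim-milter's code: a Python sketch of the RFC 4871 simple and relaxed rules, applied to a constructed message body that picks up whitespace changes after signing. The sample bodies, the function names and the kind of modification are assumptions for illustration; the thread does not show what actually altered the PHP-generated mail.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    """simple: only empty lines at the end are ignored; result ends in one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """relaxed: also collapse runs of space/tab and drop whitespace at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored; an empty body stays empty
    return b"".join(ln + b"\r\n" for ln in lines)

def canon_header_relaxed(header: bytes) -> bytes:
    """relaxed header: lowercase name, unfold, collapse whitespace, trim around the colon."""
    name, value = header.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)           # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")  # collapse and trim
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, canon) -> str:
    """Value that goes into bh=; SHA-1 because the thread's signatures use a=rsa-sha1."""
    return base64.b64encode(hashlib.sha1(canon(body)).digest()).decode()

def survives(signed: bytes, received: bytes) -> dict:
    """For each mode, does the body hash computed by the verifier still match?"""
    modes = (("simple", canon_body_simple), ("relaxed", canon_body_relaxed))
    return {name: body_hash(signed, fn) == body_hash(received, fn) for name, fn in modes}

# Constructed sample: body as signed, and the same body after a hop added a
# trailing space, collapsed a double space and appended an empty line.
SIGNED = b"Hello from PHP\r\nsecond  line\r\n"
RECEIVED = b"Hello from PHP \r\nsecond line\r\n\r\n"

if __name__ == "__main__":
    print("simple  bh as signed  :", body_hash(SIGNED, canon_body_simple))
    print("simple  bh as received:", body_hash(RECEIVED, canon_body_simple))
    print("relaxed bh as signed  :", body_hash(SIGNED, canon_body_relaxed))
    print("relaxed bh as received:", body_hash(RECEIVED, canon_body_relaxed))
    print(survives(SIGNED, RECEIVED))
```

Relaxed mode only tolerates whitespace and header-case changes; a change to the actual content breaks the body hash in both modes.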


All times are GMT +2.